Abstract. In this paper we study extensively the discrete logarithm 
problem in the group of non-singular circulant matrices. The emphasis 
of this study was to find the exact parameters for the group of circulant 
matrices for a secure implementation. We tabulate these parameters. We 
also compare the discrete logarithm problem in the group of circulant 
matrices with the discrete logarithm problem in finite fields and with the 
discrete logarithm problem in the group of rational points of an elliptic 
curve. 



1. Introduction 

Two of the most popular groups used in the discrete logarithm problem 
are the group of units of a finite field and the group of rational points of 
an elliptic curve over a finite field. The obvious question arises: are there 
any other groups? I write this paper to show that there are matrix groups, 
namely the group of non-singular circulant matrices, which are much better 
than finite fields in every aspect and even better than elliptic curves when 
one considers the size of the field for a secure implementation. The size of 
the field for a secure implementation is a huge issue in public key 
cryptography. One of the reasons elliptic curves are preferred over a finite 
field discrete logarithm problem is the size of the field for a secure 
implementation. In our current state of knowledge, it is believed that the 
discrete logarithm problem over $\mathbb{F}_{2^{1028}}$ offers the same 
security as that of most elliptic curves over $\mathbb{F}_{2^{160}}$. As our 
processors get faster and with the advent of distributed computing, these 
sizes will grow bigger with time. In the case of an elliptic curve the rate 
of growth is much smaller than that of finite fields. We will see that for 
circulant matrices the size of the field for a secure implementation can get 
even smaller. The comparison of speed between circulants and elliptic curves 
in an actual implementation is yet to be done. But, since the circulants use 
a smaller field, it is likely that the circulants are faster. 
It is known [6, 10] that the group of circulant matrices offers the same 
security as a finite field of about the same size, with half the computational 
cost. The other interesting fact about circulant matrices is the size of the 
field for a secure implementation. The arithmetic of the circulant matrices 
is implemented over a finite field, very similar to the case of elliptic curves, 
where the arithmetic is also implemented over a finite field. In the case of 
circulants, the size of the field can be smaller than the one used for elliptic 
curves. This is extensively studied in Section 5, and the results are tabulated 
in Table 2. To sum it up, the advantage of circulants is that they use a 
smaller field and are faster. 

In this paper, we denote the group of non-singular circulant matrices of 
size d by C(d, q) and the group of special circulant matrices, i.e., circulant 
matrices with determinant 1, by SC(d, q) respectively. 

Definition 1 (Circulant matrix C(d, q)). A $d \times d$ matrix over a field $F$ is 
called a circulant matrix if every row except the first row is a right circular 
shift of the row above it. So a circulant matrix is defined by its first row. 
One can define a circulant matrix similarly using columns. 

A matrix is a two dimensional object, but a circulant matrix behaves like 
a one dimensional object, given by the first row or the first column. We 
will denote a circulant matrix $C$ of size $d$, with the first row 
$c_0, c_1, \ldots, c_{d-1}$, by $C = \mathrm{circ}(c_0, c_1, c_2, \ldots, c_{d-1})$. 
An example of a circulant $5 \times 5$ matrix is: 

$$
\begin{pmatrix}
c_0 & c_1 & c_2 & c_3 & c_4 \\
c_4 & c_0 & c_1 & c_2 & c_3 \\
c_3 & c_4 & c_0 & c_1 & c_2 \\
c_2 & c_3 & c_4 & c_0 & c_1 \\
c_1 & c_2 & c_3 & c_4 & c_0
\end{pmatrix}
$$

One can define a representer polynomial corresponding to the circulant 
matrix $C$ as $\varphi_C = c_0 + c_1 x + c_2 x^2 + \ldots + c_{d-1} x^{d-1}$. 
The circulants form a commutative ring under matrix multiplication and 
matrix addition, and this ring is isomorphic (the isomorphism being 
circulant matrix to the representer polynomial) to 
$\mathcal{R} = \mathbb{F}_q[x]/(x^d - 1)$. For more on circulant matrices, see [2]. 

We will study the discrete logarithm problem in SC(d, q), the special 
circulant matrices. It is fairly straightforward to see that one can develop a 
Diffie-Hellman key exchange protocol or the ElGamal cryptosystem from 
this discrete logarithm problem. The ElGamal cryptosystem over SL(d, q), 
the special linear group of size $d$ over $\mathbb{F}_q$, is described below. Since 
the special circulant matrices are contained in the special linear group, this 
description of the ElGamal cryptosystem works for SC(d, q) as well. 

All fields considered in this paper are finite and of characteristic 2. 
2. The ElGamal over SL(d, q) 

Private Key: $m$, $m \in \mathbb{N}$. 

Public Key: $A$ and $A^m$, where $A \in SL(d, q)$. 

Encryption. 

a: To send a message (plaintext) $v \in \mathbb{F}_q^d$, Bob computes $A^r$ and $A^{mr}$ 
for an arbitrary $r \in \mathbb{N}$. 
b: The ciphertext is $(A^r, A^{mr} v^T)$, where $v^T$ is the transpose of $v$. 

Decryption. 

a: Alice knows $m$; when she receives the ciphertext $(A^r, A^{mr} v^T)$, 
she computes $A^{mr}$ from $A^r$, then $A^{-mr}$, and then computes $v$ from 
$A^{mr} v^T$. 

We show that the security of the ElGamal cryptosystem over SL(d, q) 
is equivalent to the Diffie-Hellman problem in SL(d, q). Since SC(d, q) is 
contained in SL(d, q), this proves that the security of the ElGamal 
cryptosystem over SC(d, q) is equivalent to the Diffie-Hellman problem in SC(d, q). 

Assume that Eve can solve the Diffie-Hellman problem. Then from the 
public information she knows $A^m$. From a ciphertext $(A^r, A^{rm} v^T)$ she 
gets $A^r$. Since she can solve the Diffie-Hellman problem, she computes $A^{rm}$ 
and can decrypt the ciphertext. The converse follows from the following 
theorem, which is an adaptation of [4, Proposition 2.10]. 

Theorem 1. Suppose Eve has access to an oracle that can decrypt arbitrary 
ciphertexts of the above cryptosystem for any private key. Then she can solve 
the Diffie-Hellman problem in SL(d, q). 

Proof. Let $g = A^a$ and $h = A^b$. Eve takes an arbitrary element $v$ in the 
vector space of dimension $d$ on which SL(d, q) acts. We use the same basis 
used for the representation of SL(d, q). Then $v = (v_1, v_2, \ldots, v_d)$ where 
$v_i \in \mathbb{F}_q$. Let $\hat{v}_i = (0, \ldots, v_i, \ldots, 0)$, with $v_i$ in the 
$i$-th position, and $c = \hat{v}_i^T$. She pretends that $A$ and $A^a$ is a public 
key and sends that information to the oracle. Then she asks the oracle to 
decrypt $(h, c)$. The oracle sends back $h^{-a} c$ to Eve. Since $h^{-a} c = A^{-ab} c$, 
Eve, knowing $v_i$, computes the $i$-th column of $A^{-ab}$ from $h^{-a} c$. In $d$ 
tries $A^{-ab}$ is found, and hence $A^{ab}$. This solves the Diffie-Hellman 
problem. □ 

3. Security of the proposed ElGamal cryptosystem 

This paper is primarily focused on the discrete logarithm problem in the 
automorphism group of a vector space over a finite field. There are two 
kinds of attack on the discrete logarithm problem. 

(i) The "so called" generic attacks, like Pollard's rho algorithm. 
These attacks use a black box group algorithm. The time complexity 
of these algorithms is about the same as the square-root of the size 
of the group. 

(ii) The other one is an index calculus attack. These attacks do not work 
in every group. 

Black box group algorithms work in any group, hence they will work in 
SC(d, q) as well. The most efficient way to use a black box attack on the 
discrete logarithm problem is to use the Pohlig-Hellman algorithm [4, Section 
2.9] first. This reduces the discrete logarithm problem to the prime divisors 
of the order of the element (the base for the discrete logarithm) and then use 
the Chinese remainder theorem to construct a solution for the original dis- 
crete logarithm problem. One can use the Pollard's rho algorithm to solve 
the discrete logarithm problem in the prime divisors. So the whole process 
can be summarized as follows: the security of the discrete logarithm against 
generic attacks, is the security of the discrete logarithm in the largest prime 
divisor of the order. We cannot prevent these attacks. These generic attacks 
are of exponential time complexity and are not of much concern. 

The biggest threat to any cryptosystem using the discrete logarithm 
problem is a subexponential attack like the index calculus attack [5]. It is 
often argued that there is no index calculus algorithm for most elliptic curve 
cryptosystems that has subexponential time complexity. This fact is often 
used to promote elliptic curve cryptosystems over finite field cryptosystems. 
So, the best we can hope for from the discrete logarithm problem in 
SC(d, q) is that there is no index calculus attack, or that the index calculus 
attack becomes exponential. 

The expected asymptotic complexity of the index calculus algorithm in 
$\mathbb{F}_{q^k}$ is 
$\exp\left((c + o(1)) (\log q^k)^{1/3} (\log \log q^k)^{2/3}\right)$, 
where $c$ is a constant, see [8]. If the degree of the extension, $k$, is greater 
than $\log^2 q$, then the asymptotic time complexity of the index calculus 
algorithm becomes exponential. In our case this means that if $d > \log^2 q$, 
the asymptotic complexity of the index calculus algorithm on circulant 
matrices of size $d$ becomes exponential. 

If we choose $d > \log^2 q$, then the discrete logarithm problem in SC(d, q) 
becomes as secure as the ElGamal over an elliptic curve, because the index 
calculus algorithm is exponential; otherwise we cannot guarantee it. But on 
the other hand, in the proposed cryptosystem, encryption and decryption 
work in $\mathbb{F}_q$, while breaking the cryptosystem depends on solving a 
discrete logarithm problem in $\mathbb{F}_{q^{d-1}}$. Since implementing the index 
calculus attack becomes harder as the field gets bigger, it is clear that if we 
take $d \ll \log^2 q$, then the cryptosystem is still much more secure than the 
ElGamal cryptosystem over $\mathbb{F}_q$. 
4. Is the ElGamal cryptosystem over SC(d, q) really useful? 

For a circulant matrix over a field of even characteristic, squaring is 
fast. It is shown [6, Theorem 2.2] that if $A = \mathrm{circ}(a_0, a_1, \ldots, a_{d-1})$, 
then $A^2 = \mathrm{circ}(a^2_{\pi(0)}, a^2_{\pi(1)}, \ldots, a^2_{\pi(d-1)})$, where $\pi$ 
is a permutation of $\{0, 1, 2, \ldots, d-1\}$. Now the $a_i$'s belong to the 
underlying field $\mathbb{F}_q$ of characteristic 2. In this field, squaring is just a 
cyclic shift using a normal basis [7, Chapter 4] representation of the field 
elements. 

It was shown by Mahalanobis [6] that if five conditions are satisfied, then 
the security of the discrete logarithm problem for circulant matrices of size 
$d$ over $\mathbb{F}_q$ is the same as that of the discrete logarithm problem in 
$\mathbb{F}_{q^{d-1}}$. 

The five conditions are: 

a. The circulant matrix should have determinant 1. 

b. The matrix $A$ should have row-sum 1. 

c. The integer $d$ is prime. 

d. The polynomial $\chi_A / (x - 1)$ is irreducible. 

e. $q$ is primitive mod $d$. 

In short, the argument for these five conditions is the following: 

Let $A = \mathrm{circ}(a_0, a_1, \ldots, a_{d-1})$ and let $\chi_A$ be the characteristic 
polynomial of $A$. It is easy to see that the row-sum $a_0 + a_1 + \cdots + a_{d-1}$, 
the sum of all elements in a row, is constant for a circulant matrix. This 
row-sum, $\alpha$, is an eigenvalue of $A$ and belongs to $\mathbb{F}_q$. Clearly, 
$\alpha^m$ is an eigenvalue of $A^m$. This $\alpha$ and $\alpha^m$ can reduce a part of 
the discrete logarithm problem in $A$ to a discrete logarithm problem in the 
field $\mathbb{F}_q$. If the row-sum is 1, then there is no such issue. This is the 
reason behind the condition that the row-sum is 1. 

Now assume that $\chi_A / (x - 1) = f_1^{e_1} f_2^{e_2} \cdots f_n^{e_n}$, where each 
$f_i$ is an irreducible polynomial and the $e_i$'s are positive integers 
(condition c. ensures that $e_i = 1$ for all $i$). Then it follows that the 
discrete logarithm problem in $A$ can be reduced to discrete logarithm 
problems in $\mathbb{F}_q[x]/(f_i)$, for each $i$. Then one can solve the individual 
discrete logarithms in extensions of $\mathbb{F}_q$, put those solutions together 
using the Chinese remainder theorem and solve the discrete logarithm 
problem in $A$. The degree of these extensions, the size of which provides 
us with the better security, is maximized when $\chi_A / (x - 1)$ is irreducible. 
This is the reason for the condition that $\chi_A / (x - 1)$ is irreducible. 

The ring of circulant matrices is isomorphic to $\mathbb{F}_q[x]/(x^d - 1)$; 
moreover, $\mathbb{F}_q[x]/(x^d - 1)$ is isomorphic to 
$\mathbb{F}_q[x]/(x - 1) \times \mathbb{F}_q[x]/(\Phi(x))$, where 
$\Phi(x) = (x^d - 1)/(x - 1)$ is the $d$-th cyclotomic polynomial. If $d$ is prime 
and $q$ is primitive modulo $d$, then the cyclotomic polynomial is irreducible. 
In this case, the discrete logarithm problem in circulant matrices reduces to 
the discrete logarithm problem in $\mathbb{F}_{q^{d-1}}$. 

4.1. What are the advantages of using circulant matrices? The advantages 
of using circulant matrices are: 

• Multiplying circulant matrices of size $d$ over $\mathbb{F}_q$ is twice as fast 
compared to multiplication in the field $\mathbb{F}_{q^d}$. 

• Computing the inverse of a circulant matrix is easy. 

Any circulant matrix $A$ can be represented as a polynomial of the form 
$f(x) = c_0 + c_1 x + \ldots + c_{d-1} x^{d-1}$. This polynomial being invertible 
means that $\gcd(f(x), x^d - 1) = 1$. Then one can use the extended Euclidean 
algorithm to find the inverse. In our cryptosystem we need to find that 
inverse, and it is easily computable. 

We now compare the following three cryptosystems for security and speed. 
We do not compare the key sizes and the size of the ciphertext, as these can 
be decided easily. 

1. The ElGamal cryptosystem using the circulant matrices of size $d$ 
over $\mathbb{F}_q$. 

2. The ElGamal cryptosystem using the group of an elliptic curve. 

3. The ElGamal cryptosystem over $\mathbb{F}_{q^d}$. 

4.2. ElGamal over $\mathbb{F}_{q^d}$ vs. the circulants of size $d$ over $\mathbb{F}_q$. 
Clearly the circulants are the winner in this case. The circulants provide 
almost the same security as the ElGamal over the finite field $\mathbb{F}_{q^d}$, 
but multiplication in the circulants is twice as fast compared to the 
multiplication in the finite field $\mathbb{F}_{q^d}$. See Silverman [10, 11] for 
more details. 

To understand the difference, we need to understand the standard field 
multiplication. A field $\mathbb{F}_{q^d}$ over $\mathbb{F}_q$, an extension of degree $d$, is 
a commutative algebra of dimension $d$ over $\mathbb{F}_q$. Let $\alpha_0, \ldots, \alpha_{d-1}$ 
be a basis of $\mathbb{F}_{q^d}$ over $\mathbb{F}_q$. Let 
$A := a_0 \alpha_0 + a_1 \alpha_1 + \cdots + a_{d-1} \alpha_{d-1}$, 
$B := b_0 \alpha_0 + b_1 \alpha_1 + \cdots + b_{d-1} \alpha_{d-1}$ and 
$C := A \cdot B = c_0 \alpha_0 + c_1 \alpha_1 + \cdots + c_{d-1} \alpha_{d-1}$ 
be elements of $\mathbb{F}_{q^d}$. 

The objective of multiplication is to find $c_k$ for $k = 0, 1, \ldots, d-1$. 
Now notice that each product $\alpha_i \alpha_j$ is itself a linear combination of 
$\alpha_0, \ldots, \alpha_{d-1}$; for each $k = 0, 1, \ldots, d-1$, collecting the 
coefficient of $\alpha_k$ in each of the $d^2$ products $\alpha_i \alpha_j$ defines a 
$d \times d$ matrix $T_k$. It follows that $c_k = A T_k B^T$, where $A$ and $B$ are 
read as the row vectors of their coordinates. 

The number of nonzero entries in the matrix $T_k$, which is constant over 
$k$, is called the complexity of the field multiplication [7, Chapter 5]. The 
following theorem is well known [7, Theorem 5.1]: 

Theorem 2. For any normal basis $N$ of $\mathbb{F}_{q^d}$ over $\mathbb{F}_q$, the 
complexity of multiplication is at least $2d - 1$. 

Note that in an implementation of a field exponentiation, one must use a 
normal basis to use the square and multiply algorithm. 

In our case, circulants of size $d$ over a finite field $\mathbb{F}_q$, the situation is 
much different. We need a normal basis implementation for $\mathbb{F}_q$. However, 
to implement multiplication of two circulants, i.e., multiplication in 
$\mathcal{R} = \mathbb{F}_q[x]/(x^d - 1)$, we can use the basis $\{1, x, x^2, \ldots, x^{d-1}\}$. 

In a very similar way as before, if $A := a_0 + a_1 x + \ldots + a_{d-1} x^{d-1}$ and 
$B := b_0 + b_1 x + \ldots + b_{d-1} x^{d-1}$ then 
$C := A \cdot B = c_0 + c_1 x + \ldots + c_{d-1} x^{d-1}$. 
Our job is to compute $c_k$ for $k = 0, 1, \ldots, d-1$. It follows that 

(1) $c_k = \sum a_i b_j$, where $i + j \equiv k \pmod d$ and $0 \le i, j \le d - 1$. 

It is now clear that the complexity of the multiplication is $d$. Compare this 
to the best case situation for the optimal normal basis [7, Chapter 5], in 
which case it is $2d - 1$. So multiplying circulants takes about half the time 
of that of finite fields. 
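The arithmetic just described, as an added worked example that is not code from the paper: the circulant product of equation (1), the characteristic-2 squaring rule of Section 4 (a permutation of squared entries), and the square-and-multiply count used in Section 5.1, all computed on the representer polynomial and checked against the ordinary matrix product and the row-sum eigenvalue. It assumes $\mathbb{F}_q = GF(2^8)$ built with the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$; the sample rows are constructed.

```python
# Added example, not the paper's code: circulant arithmetic over F_q done on
# the representer polynomial in F_q[x]/(x^d - 1). Assumed field: GF(2^8) with
# the irreducible polynomial x^8 + x^4 + x^3 + x + 1 (0x11B); elements are ints.
from functools import reduce
from operator import xor

IRRED = 0x11B

def gf_mul(a, b):
    """Multiply two GF(2^8) elements: shift-and-add, reduced by IRRED."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= IRRED
        b >>= 1
    return r

def circ_mul(A, B):
    """Equation (1): c_k = sum a_i b_j over i + j = k (mod d); d field
    multiplications per coefficient, d^2 in all."""
    d = len(A)
    C = [0] * d
    for i, a in enumerate(A):
        for j, b in enumerate(B):
            C[(i + j) % d] ^= gf_mul(a, b)
    return C

def circ_square(A):
    """Characteristic 2: (sum a_i x^i)^2 = sum a_i^2 x^(2i), cross terms cancel.
    So A^2 is circ of the squared entries permuted by i -> 2i mod d (a
    permutation for odd d); only field squarings, i.e. normal-basis shifts."""
    d = len(A)
    C = [0] * d
    for i, a in enumerate(A):
        C[(2 * i) % d] ^= gf_mul(a, a)
    return C

def circ_pow(A, m):
    """Square-and-multiply for A^m. Returns (A^m, circulant multiplications
    used); squarings are free, so the count is the one-bits of m minus one."""
    R, mults = None, 0
    for bit in bin(m)[2:]:
        if R is not None:
            R = circ_square(R)
        if bit == "1":
            R, mults = (list(A), 0) if R is None else (circ_mul(R, A), mults + 1)
    return R, mults

def row_sum(A):
    """Row-sum = representer polynomial at x = 1: an eigenvalue of A in F_q,
    and multiplicative under the ring product (Section 4)."""
    return reduce(xor, A, 0)

def circ_to_matrix(A):
    """The d x d matrix of Definition 1: row i is row 0 shifted right i times."""
    d = len(A)
    return [[A[(j - i) % d] for j in range(d)] for i in range(d)]

def matmul_first_row(M, N):
    """First row of the ordinary matrix product M N over GF(2^8)."""
    d = len(M)
    return [reduce(xor, (gf_mul(M[0][k], N[k][j]) for k in range(d)), 0)
            for j in range(d)]
```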

It is clear that the keysizes will be the same for both these cryptosystems. 

4.3. The elliptic curve ElGamal vs. the circulants of size d. In this case 
there is no clear winner. On one hand, take the case of embedding degree. 
For most elliptic curves the embedding degree is very large. The embedding 
degree, that we refer to as the security advantage, for a circulant is tied up 
with the size of the matrix. For a matrix of size d, it is d — 1. So with 
circulants, it is hard to get very large embedding degree, without blowing 
up the size of the matrix. On the other hand, a very large embedding degree 
is not always necessary. 

On the other hand, in elliptic curves, the order of the group is about the 
same as the size of the field. For 80-bit security, we must take the field to 
be around $2^{160}$, to defend against any square-root algorithms. In the case 
of circulants, the order of a circulant matrix can be large. This enables us 
to use a smaller field for the same security. In circulants, one can use the 
extended Euclidean algorithm to compute the inverse. 

So, as we said before, we are not in a position to declare a clear winner in 
this case. However, if the size of the field is important in the 
implementation, and a moderate embedding degree suffices for security, then 
circulants are a little ahead in the game. We explain this by some examples 
in the next section. 

It is clear that the keysize for circulant matrices will be larger than that of 
the elliptic curve cryptosystem, both satisfying the following: 

1: Security of 80 bits or more from generic algorithms. 
2: Security from index calculus comparable to the field $\mathbb{F}_{2^{1000}}$, i.e., 
index calculus security of 1000 bits. 



5. An algorithm 

Recall that C(d, q) is isomorphic to $\mathbb{F}_q[x]/(x - 1) \times \mathbb{F}_q[x]/(\Phi(x))$. 
We now describe an algorithm to find a circulant matrix satisfying the above 
five conditions. 

Algorithm 1 (Construct a circulant matrix satisfying five conditions). 

Input $q$, $d$. 

• construct $\mathbb{F}_q$. 

• $\tau(x) \leftarrow$ a primitive polynomial of degree $d - 1$ over $\mathbb{F}_q$. 

• order $\leftarrow$ the order of the determinant of the companion matrix of $\tau(x)$. 

• Use the Chinese remainder theorem to find $\psi(x)$ such that $\psi(x) \equiv 1 
\pmod{x - 1}$ and $\psi(x) \equiv \tau(x) \pmod{\Phi(x)}$. 

• $\psi(x) \leftarrow \psi(x) \bmod (x^d - 1)$. 

• $A \leftarrow$ the circulant matrix whose first row is given by the coefficients of $\psi(x)$. 

• $A \leftarrow A^{\mathrm{order}}$. 

Output $A$. 

Using Magma [1] and Algorithm 1, we were able to compute several 
circulant matrices over many different fields of characteristic 2. We produce 
part of that data in Table 1. The row with $q$ is the size of the field 
extension and the row with $d$ is the size of the circulant matrix over that 
field extension. 

To construct the table, we considered all possible field extensions of size 
$q$, where $q$ varies from $2^{40}$ to $2^{100}$. For each such extension, we took all 
the primes $d$ from 11 to 50. We then checked and tabulated the ones for 
which $q$ is primitive modulo $d$. For every extension $q$ and for all primes $d$ 
satisfying the primitivity condition, Algorithm 1 was used and the output 
matrix was checked for all the five conditions; moreover, the order of the 
matrix $A$ was found to be at least $q^{d-3}$. So, if $q$ is primitive modulo $d$, our 
algorithm produces the desired matrix $A$, satisfying all five conditions. The 
computation was fast on a standard workstation. 
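The selection rule behind Table 1, as an added example that is not the paper's Magma or GAP code: conditions c. and e. of Section 4 for $q = 2^n$ (d prime, q primitive modulo d), together with the equivalent test that 2 is primitive mod $d$ and $\gcd(n, d - 1) = 1$, which follows from $\mathrm{ord}_d(2^n) = \mathrm{ord}_d(2)/\gcd(\mathrm{ord}_d(2), n)$ and goes slightly beyond the text. The two security-size helpers reproduce the figures quoted in the examples of this section; the prime used in the check is the one the paper reports for $q = 2^{89}$, $d = 13$.

```python
# Added example, not the paper's Magma/GAP code: the selection rule behind
# Table 1 (conditions c. and e. of Section 4 for q = 2^n) and the security
# sizes quoted in this section.
from math import gcd, log2

def is_prime(d):
    return d >= 2 and all(d % p for p in range(2, int(d ** 0.5) + 1))

def mult_order(a, d):
    """Multiplicative order of a modulo the prime d, for a not divisible by d."""
    a %= d
    k, x = 1, a
    while x != 1:
        x = x * a % d
        k += 1
    return k

def is_primitive(q, d):
    """Condition e.: q is primitive mod d when its order is d - 1, i.e. it
    generates the multiplicative group mod d."""
    return q % d != 0 and mult_order(q, d) == d - 1

def table_row(n, lo=11, hi=50):
    """Primes d in [lo, hi] with 2^n primitive mod d: one column of Table 1."""
    return [d for d in range(lo, hi + 1)
            if is_prime(d) and is_primitive(pow(2, n, d), d)]

def table_row_fast(n, lo=11, hi=50):
    """Same set without computing orders of 2^n: since
    ord_d(2^n) = ord_d(2) / gcd(ord_d(2), n), 2^n is primitive mod d exactly
    when 2 is primitive mod d and gcd(n, d - 1) == 1 (so even n never qualify,
    d - 1 being even)."""
    return [d for d in range(lo, hi + 1)
            if is_prime(d) and is_primitive(2, d) and gcd(n, d - 1) == 1]

def index_calculus_bits(n, d):
    """Bit size of F_{q^(d-1)}, q = 2^n: the field the discrete logarithm in
    SC(d, q) reduces to when the five conditions hold (Section 4)."""
    return n * (d - 1)

def generic_bits(largest_prime_factor):
    """Security against generic (square-root) attacks after Pohlig-Hellman:
    half the base-2 logarithm of the largest prime factor of the order of A."""
    return log2(largest_prime_factor) / 2
```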
Table 1. Fields from size $2^{40}$ to $2^{100}$ and matrices from size 11 to 50 
that satisfy those five conditions. The legible part of the table reads: 
$q = 2^{41}$: $d = 11, 13, 19, 29, 37$; $q = 2^{43}$: $d = 11, 13, 19, 29, 37$; 
$q = 2^{47}$: $d = 11, 13, 19, 37$; $q = 2^{49}$: $d = 11, 13, 19, 37$; 
$q = 2^{53}$: $d = 11, 13, 19, 29, 37$; $q = 2^{55}$: $d = 13, 19, 29, 37$. 
The remaining columns, for $q$ between $2^{65}$ and $2^{95}$, are illegible in this copy. 



So now it is clear that there are a lot of choices of parameters for the 
ElGamal cryptosystem over circulant matrices. We describe our findings 
with some arbitrary examples. For more data see Table 2. 

In the case $q = 2^{89}$, $d = 13$, we found the largest prime factor of the 
order of $A$ to be 

7993364465170792998716337691033251350895453313. 

The base two logarithm of this prime is 152.5. So even if we use the Pohlig-
Hellman algorithm to reduce the discrete logarithm in $A$ to the discrete 
logarithm problem in the prime factors of the order of $A$, we still have 
security very close to 80-bit security from generic attacks. The security 
against the index calculus is the same as in $\mathbb{F}_{2^{1068}}$. 

In the case of $q = 2^{39}$, $d = 29$, the largest prime factor of the order of $A$ was 

3194753987813988499397428643895659569. 

The logarithm base 2 of which is about 120. So from generic attacks the 
security is about $2^{60}$, or sixty-bit security. From index calculus the security 
is the same as the security of a field of size $\mathbb{F}_{2^{1092}}$. 

In the case of $q = 2^{45}$, $d = 29$, the largest prime factor of the order of $A$ 
is 15169173997557864184867895400813639018421, with more than 60-bit 
security. The security against the index calculus is equivalent to $\mathbb{F}_{2^{1260}}$. 

In the case of $q = 2^{97}$, $d = 11$, the largest prime divisor of the order of $A$ is 

5099684339280531431303325210885366883096347229374376914106957559915561, 

the logarithm base 2 of which is 231. Security from generic attacks is 115 bits 
and from index calculus is equivalent to the field $\mathbb{F}_{2^{970}}$, i.e., 970 bits 
of security. 
In the case of $q = 2^{43}$, $d = 29$, the largest prime factor of the order is 

15971330269144846039246876225999124906492824909441141855981389550399714935349, 

the logarithm of which is 253. So this has about 125-bit security from the 
generic attacks and 1204-bit security from the index calculus attack. 
In the case of $q = 2^{29}$, $d = 37$, the largest prime factor is 

328017025014102923449988663752960080886511412965881, 

with logarithm 167, i.e., security of more than 80 bits from generic attacks 
and 1044 bits from index calculus. 

Using GAP [3], we created Table 2. In this table, all extensions $q$ from 
$2^{45}$ to $2^{90}$ and all primes $d$ from 10 to 20 are considered. For those 
extensions and primes, it was checked whether $q$ is primitive mod $d$. If that 
was so, then the circulant matrix $A$ was constructed and both the generic 
and the index calculus security were tabulated. 

5.1. Complexity of exponentiation of a circulant matrix of size d. Let 
us assume that the circulant matrix of size $d$ is $A$ and we are raising it to 
the power $m$, i.e., we compute $A^m$. We are using the square and multiply 
algorithm. We know that squaring of circulants is free, and multiplication of 
two circulant matrices of size $d$ takes about $d^2$ field multiplications. The 
number of multiplications in the exponentiation is the same as the number 
of ones in the binary expansion of $m$. It is expected that a finite random 
string of zeros and ones will have about the same number of zeros and ones. 
So the expected number of ones in the binary expansion of $m$ is $\frac{1}{2} \log_2 m$. 
So the expected number of field multiplications required to compute $A^m$ is 